Juniper IPSec Site-To-Site VPN Tunnel Configuration
By David.K
Note:
Refer to the Juniper website on how to access the J-web interface for the first time and configure
SSL Web Access.
Tunnel configuration can be confusing. A good way to understand it is to keep in mind that, just as
there are two phases to tunnel negotiation, there are two phases to tunnel configuration. The following
procedure lists the order in which you must configure an IPsec tunnel in J-Web. Although you need not
follow this sequence when using the CLI configuration editor, I recommend that you do. If, for example,
you go out of sequence and configure a Phase 1 policy before you have configured a proposal, you cannot
easily reference the proposal in the policy because it will not appear in the interface.
Phase 1
    1. IKE proposal
    2. IKE policy (references the proposal)
    3. IKE gateway (references the policy)
Phase 2
    1. IPsec proposal
    2. IPsec policy (references the proposal)
    3. IPsec VPN, AutoKey IKE (references the gateway and the policy)
In Phase 1 proposal configuration, you set the authentication method and the authentication and
encryption algorithms that will be used to open a secure channel between the participants. In this
example, you create an IKE proposal called ike_prop_1 and specify that peers authenticate each other
with preshared keys and use Diffie-Hellman group 2 to produce the shared secret from which the session
keys are derived. You specify md5 as the authentication algorithm and 3DES in cipher block chaining
(CBC) mode for encryption, and you specify that after 300 seconds the participants renegotiate a new
security association (SA). These values reproduce the original example; md5, 3DES and Diffie-Hellman
group 2 are all considered weak today, and a new deployment should prefer SHA-2, AES and group 14 or
higher where the Junos release supports them.
Note: When configuring a Phase 1 proposal for the dynamic VPN feature, you must set the authentication
method to preshared keys.
To configure Phase 1 proposals you can use either the J-Web or CLI configuration editor.
During policy configuration, you set the mode in which the Phase 1 channel will be negotiated, specify
the type of key to be used, and reference the Phase 1 proposal. In this example, you create a policy
called ike_pol_1, specify that participants exchange proposals in aggressive mode, and reference the
proposal called ike_prop_1. You specify that the preshared key is of type ASCII and enter the key.
Be aware that IKEv1 aggressive mode sends the peer identity in the clear, and a hash derived from the
preshared key, before the channel is encrypted, so a captured exchange can be used for an offline
dictionary attack on the key. For a site-to-site tunnel between peers with fixed addresses, main mode is
the safer choice, and the preshared key should be long and random in either case.
Note: When configuring an IKE policy for the dynamic VPN feature, you must set the mode to aggressive.
You must also use preshared keys rather than manual keys or certificates.
Use the following command to display information about this IKE policy:
When creating the gateway, you must reference the Phase 1 policy. In this example, you create an IKE
gateway called ike_gateway_1, reference the policy ike_pol_1, and configure the IP address of the remote
peer. You configure dead peer detection (DPD) to send a DPD request when the device has not received
traffic from the peer for 10 seconds, and to declare the peer unavailable after five consecutive
unanswered requests, each sent after a further 10-second wait. You also specify ge-0/0/0 as the outgoing
(external) interface, which is the interface on which the device sends and accepts IKE traffic for this
peer.
Use the following command to display information about this IKE gateway:
In Phase 2 proposal configuration, you must create a proposal, specify a security protocol, and select
authentication and encryption algorithms for the traffic that will flow through the tunnel. In this example,
you create a proposal called ipsec_prop_1, specify ESP as the security protocol, and set hmac-md5-96
as the authentication algorithm and 3des-cbc as the encryption algorithm. You also specify that the
security association (SA) terminate after 1,800 KB of data pass through it.
Use the following command to display information about this IPsec proposal:
In Phase 2 IPsec policy configuration, you must create a policy and reference a Phase 2 proposal. In this
example, you create a policy called ipsec_pol_1 and reference the proposal ipsec_prop_1. You also enable
Perfect Forward Secrecy with Diffie-Hellman group 2, so that the keys of each Phase 2 SA are derived from
a fresh Diffie-Hellman exchange rather than from the Phase 1 keying material alone.
Use the following command to display information about this IPsec policy:
Configure IPsec Autokey IKE (and reference the policy and gateway).
In Phase 2 IPsec AutoKey configuration, you must name the VPN tunnel, specify a gateway, and reference
a Phase 2 policy. If you are building a route-based VPN, you must also bind the tunnel to a secure tunnel
(st0) interface. In this example, you create a VPN tunnel named vpn_1 and bind it to interface st0.0,
specify ike_gateway_1 as the gateway for the VPN tunnel, and reference the IPsec policy ipsec_pol_1.
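The whole six-step sequence above, written out as one set-format CLI configuration. This is an added example, not configuration from the original page: the peer address 203.0.113.2 and the remote LAN 10.2.0.0/24 are documentation-range placeholders, CHANGEME stands in for the real preshared key, the zone name untrust for ge-0/0/0 is assumed, and the st0.0 interface, security-zone and static-route statements (which the page does not show but which a route-based tunnel needs before traffic can flow) are my additions. The `#` lines are annotations, not Junos commands; strip them before pasting into configuration mode. The final group replaces the weak algorithm and mode choices with stronger ones; each of those statements sets a single-valued leaf, so applying them after the earlier lines simply overrides the weak value. Their availability depends on the Junos release.

```junos
# --- Phase 1, step 1: IKE proposal (values exactly as in the text) ---
set security ike proposal ike_prop_1 authentication-method pre-shared-keys
set security ike proposal ike_prop_1 dh-group group2
set security ike proposal ike_prop_1 authentication-algorithm md5
set security ike proposal ike_prop_1 encryption-algorithm 3des-cbc
set security ike proposal ike_prop_1 lifetime-seconds 300

# --- Phase 1, step 2: IKE policy, referencing the proposal ---
# CHANGEME is a placeholder; use a long random secret, never a word list entry
set security ike policy ike_pol_1 mode aggressive
set security ike policy ike_pol_1 proposals ike_prop_1
set security ike policy ike_pol_1 pre-shared-key ascii-text "CHANGEME"

# --- Phase 1, step 3: IKE gateway, referencing the policy ---
# 203.0.113.2 is an assumed peer address (documentation range)
set security ike gateway ike_gateway_1 ike-policy ike_pol_1
set security ike gateway ike_gateway_1 address 203.0.113.2
set security ike gateway ike_gateway_1 dead-peer-detection interval 10
set security ike gateway ike_gateway_1 dead-peer-detection threshold 5
set security ike gateway ike_gateway_1 external-interface ge-0/0/0.0

# --- Phase 2, step 1: IPsec proposal ---
set security ipsec proposal ipsec_prop_1 protocol esp
set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec_prop_1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_prop_1 lifetime-kilobytes 1800

# --- Phase 2, step 2: IPsec policy with PFS, referencing the proposal ---
set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_1 proposals ipsec_prop_1

# --- Phase 2, step 3: AutoKey IKE VPN bound to st0.0, referencing gateway and policy ---
set security ipsec vpn vpn_1 bind-interface st0.0
set security ipsec vpn vpn_1 ike gateway ike_gateway_1
set security ipsec vpn vpn_1 ike ipsec-policy ipsec_pol_1
set security ipsec vpn vpn_1 establish-tunnels immediately

# --- Plumbing the page does not show (my additions, assumed zone and subnet) ---
# st0.0 must exist and sit in a zone; the external zone must accept IKE (UDP/500)
# from the peer or Phase 1 never starts; a route steers LAN traffic into the tunnel
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set routing-options static route 10.2.0.0/24 next-hop st0.0

# --- Hardened equivalents (override the weak leaves above; release-dependent) ---
set security ike proposal ike_prop_1 dh-group group14
set security ike proposal ike_prop_1 authentication-algorithm sha-256
set security ike proposal ike_prop_1 encryption-algorithm aes-256-cbc
set security ike proposal ike_prop_1 lifetime-seconds 28800
set security ike policy ike_pol_1 mode main
set security ipsec proposal ipsec_prop_1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec_prop_1 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec_pol_1 perfect-forward-secrecy keys group14
```

After `commit`, check the result from operational mode: `show security ike security-associations` should list the peer address with an SA in UP state, `show security ipsec security-associations` should show an inbound and an outbound SA for the tunnel, and `show security ipsec statistics` should show the encrypted and decrypted packet counters rising once traffic is sent toward the remote subnet. To review any one object as configured, use `show configuration security ike policy ike_pol_1` (or the corresponding path for the proposal, gateway, IPsec policy or VPN). Remember that the same proposal, mode, PFS group and preshared key must be configured on the remote peer, or Phase 1 or Phase 2 negotiation will fail.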
Use the following command to display information about this IPsec VPN:
Thanks,
By David.K